Add Rack::Protection::ReferrerPolicy. (#1291)

2020-03-13 07:10:54 -07:00 · 2020-03-13 07:10:54 -07:00 · fade5feed3
parent 3cc2394a12
commit fade5feed3
2 changed files with 27 additions and 0 deletions
--- a/rack-protection/lib/rack/protection.rb
+++ b/rack-protection/lib/rack/protection.rb
@ -14,6 +14,7 @@ module Rack
    autoload :IPSpoofing,            'rack/protection/ip_spoofing'
    autoload :JsonCsrf,              'rack/protection/json_csrf'
    autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :ReferrerPolicy,        'rack/protection/referrer_policy'
    autoload :RemoteReferrer,        'rack/protection/remote_referrer'
    autoload :RemoteToken,           'rack/protection/remote_token'
    autoload :SessionHijacking,      'rack/protection/session_hijacking'
@ -35,6 +36,7 @@ module Rack
        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
        use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
        use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
+        use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
        use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
        use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport

--- a/rack-protection/lib/rack/protection/referrer_policy.rb
+++ b/rack-protection/lib/rack/protection/referrer_policy.rb
@ -0,0 +1,25 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Secret leakage, third party tracking
+    # Supported browsers:: mixed support
+    # More infos::         https://www.w3.org/TR/referrer-policy/
+    #                      https://caniuse.com/#search=referrer-policy
+    #
+    # Sets Referrer-Policy header to tell the browser to limit the Referer header.
+    #
+    # Options:
+    # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
+    class ReferrerPolicy < Base
+      default_options :referrer_policy => 'strict-origin-when-cross-origin'
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        [status, headers, body]
+      end
+    end
+  end
+end